From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.136; helo=mga12.intel.com; envelope-from=chao.b.zhang@intel.com; receiver=edk2-devel@lists.01.org Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id DECD4225B028F for ; Tue, 20 Mar 2018 01:29:08 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Mar 2018 01:35:37 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.48,334,1517904000"; d="scan'208";a="27221395" Received: from czhan46-mobl1.ccr.corp.intel.com ([10.239.192.139]) by orsmga006.jf.intel.com with ESMTP; 20 Mar 2018 01:35:36 -0700 From: "Zhang, Chao B" To: edk2-devel@lists.01.org Cc: Long Qin , Yao Jiewen , Chao Zhang Date: Tue, 20 Mar 2018 16:35:33 +0800 Message-Id: <20180320083533.26316-1-chao.b.zhang@intel.com> X-Mailer: git-send-email 2.11.0.windows.1 Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Mar 2018 08:29:09 -0000 TPM2.0 command lib always assumes TPM device and transmission channel can respond correctly. But it is not true when communication channel is exploited and wrong data is spoofed. Add more logic to prohibit memory overflow attack. Cc: Long Qin Cc: Yao Jiewen Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Chao Zhang Signed-off-by: Zhang, Chao B --- .../Library/Tpm2CommandLib/Tpm2Capability.c | 21 ++++++++++++++- .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++++++++++- SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++++++++++--- SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 ++++++++-- SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c | 31 +++++++++++++++++++++- SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++++++- SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c | 6 ++++- 7 files changed, 107 insertions(+), 10 deletions(-) diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c index 79e80fb7a9..42afe107a6 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Capability related command. -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php @@ -110,10 +110,18 @@ Tpm2GetCapability ( if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) { return EFI_DEVICE_ERROR; } + // + // Fail if command failed + // + if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) { + DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r\n", SwapBytes32(RecvBuffer.Header.responseCode))); + return EFI_DEVICE_ERROR; + } + // // Return the response // *MoreData = RecvBuffer.MoreData; // @@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg ( } CopyMem (AlgList, &TpmCap.data.algorithms, sizeof (TPML_ALG_PROPERTY)); AlgList->count = SwapBytes32 (AlgList->count); + if (AlgList->count > MAX_CAP_ALGS) { + return EFI_DEVICE_ERROR; + } + for (Index = 0; Index < AlgList->count; Index++) { AlgList->algProperties[Index].alg = SwapBytes16 (AlgList->algProperties[Index].alg); WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties))); } @@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs ( if (EFI_ERROR (Status)) { return Status; } Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count); + if (Pcrs->count > HASH_COUNT) { + return EFI_DEVICE_ERROR; + } + for (Index = 0; Index < Pcrs->count; Index++) { Pcrs->pcrSelections[Index].hash = SwapBytes16 (TpmCap.data.assignedPCR.pcrSelections[Index].hash); Pcrs->pcrSelections[Index].sizeofSelect = TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect; + if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) { + return EFI_DEVICE_ERROR; + } CopyMem (Pcrs->pcrSelections[Index].pcrSelect, TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, Pcrs->pcrSelections[Index].sizeofSelect); } return EFI_SUCCESS; } diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c index 6f6b3693f8..3e42875b83 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 EnhancedAuthorization related command. -Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php @@ -178,19 +178,29 @@ Tpm2PolicySecret ( // // Return the response // Buffer = (UINT8 *)&RecvBuffer.Timeout; Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer)); + if (Timeout->size > sizeof(UINT64)) { + Status = EFI_DEVICE_ERROR; + goto Done; + } + Buffer += sizeof(UINT16); CopyMem (Timeout->buffer, Buffer, Timeout->size); PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer)); Buffer += sizeof(UINT16); PolicyTicket->hierarchy = SwapBytes32(ReadUnaligned32 ((UINT32 *)Buffer)); Buffer += sizeof(UINT32); PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer)); Buffer += sizeof(UINT16); + if (PolicyTicket->digest.size > sizeof(TPMU_HA)) { + Status = EFI_DEVICE_ERROR; + goto Done; + } + CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size); Done: // // Clear AuthSession Content @@ -377,9 +387,13 @@ Tpm2PolicyGetDigest ( // // Return the response // PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size); + if (PolicyHash->size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } + CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size); return EFI_SUCCESS; } diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c index 8eacfe6c13..9c0b70dd93 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Integrity related command. -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php @@ -277,10 +277,14 @@ Tpm2PcrEvent ( // Unmarshal the response // Buffer = (UINT8 *)&Res.Digests; Digests->count = SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer)); + if (Digests->count > HASH_COUNT) { + return EFI_DEVICE_ERROR; + } + Buffer += sizeof(UINT32); for (Index = 0; Index < Digests->count; Index++) { Digests->digests[Index].hashAlg = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer)); Buffer += sizeof(UINT16); DigestSize = GetHashSizeFromAlgo (Digests->digests[Index].hashAlg); @@ -381,28 +385,37 @@ Tpm2PcrRead ( if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count)) { DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", RecvBufferSize)); return EFI_DEVICE_ERROR; } PcrSelectionOut->count = SwapBytes32(RecvBuffer.PcrSelectionOut.count); - if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) { - DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", RecvBufferSize)); + if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) { + DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or RecvBufferSize Error - %x\n", PcrSelectionOut->count, RecvBufferSize)); return EFI_DEVICE_ERROR; } for (Index = 0; Index < PcrSelectionOut->count; Index++) { PcrSelectionOut->pcrSelections[Index].hash = SwapBytes16(RecvBuffer.PcrSelectionOut.pcrSelections[Index].hash); PcrSelectionOut->pcrSelections[Index].sizeofSelect = RecvBuffer.PcrSelectionOut.pcrSelections[Index].sizeofSelect; + if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) { + return EFI_DEVICE_ERROR; + } CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect, &RecvBuffer.PcrSelectionOut.pcrSelections[Index].pcrSelect, PcrSelectionOut->pcrSelections[Index].sizeofSelect); } // // PcrValues // PcrValuesOut = (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count); PcrValues->count = SwapBytes32(PcrValuesOut->count); + if (PcrValues->count > 8) { + return EFI_DEVICE_ERROR; + } Digests = PcrValuesOut->digests; for (Index = 0; Index < PcrValues->count; Index++) { PcrValues->digests[Index].size = SwapBytes16(Digests->size); + if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer, PcrValues->digests[Index].size); Digests = (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size) + PcrValues->digests[Index].size); } return EFI_SUCCESS; diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c index 9508022132..2b87260764 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 NVStorage related command. -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php @@ -232,13 +232,18 @@ Tpm2NvReadPublic ( // // Basic check // NvPublicSize = SwapBytes16 (RecvBuffer.NvPublic.size); + if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) { + return EFI_DEVICE_ERROR; + } + NvNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize))); - if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize) { + if (NvNameSize > sizeof(TPMU_NAME) || + (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize)) { DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize)); return EFI_NOT_FOUND; } // @@ -630,10 +635,15 @@ Tpm2NvRead ( // // Return the response // OutData->size = SwapBytes16 (RecvBuffer.Data.size); + if (OutData->size > MAX_DIGEST_BUFFER) { + Status = EFI_DEVICE_ERROR; + goto Done; + } + CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size); Done: // // Clear AuthSession Content diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c index e070ff2f74..e9f693b65d 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Object related command. -Copyright (c) 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php @@ -107,15 +107,26 @@ Tpm2ReadPublic ( // // Basic check // OutPublicSize = SwapBytes16 (RecvBuffer.OutPublic.size); + if (OutPublicSize > sizeof(TPMT_PUBLIC)) { + return EFI_DEVICE_ERROR; + } + NameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize))); + if (NameSize > sizeof(TPMU_NAME)) { + return EFI_DEVICE_ERROR; + } + QualifiedNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize + sizeof(UINT16) + NameSize))); + if (QualifiedNameSize > sizeof(TPMU_NAME)) { + return EFI_DEVICE_ERROR; + } if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize + sizeof(UINT16) + NameSize + sizeof(UINT16) + QualifiedNameSize) { DEBUG ((DEBUG_ERROR, "Tpm2ReadPublic - RecvBufferSize %x Error - OutPublicSize %x, NameSize %x, QualifiedNameSize %x\n", RecvBufferSize, OutPublicSize, NameSize, QualifiedNameSize)); return EFI_DEVICE_ERROR; } @@ -130,10 +141,13 @@ Tpm2ReadPublic ( OutPublic->publicArea.nameAlg = SwapBytes16 (OutPublic->publicArea.nameAlg); WriteUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes))); Buffer = (UINT8 *)&RecvBuffer.OutPublic.publicArea.authPolicy; OutPublic->publicArea.authPolicy.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer)); Buffer += sizeof(UINT16); + if (OutPublic->publicArea.authPolicy.size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.authPolicy.buffer, Buffer, OutPublic->publicArea.authPolicy.size); Buffer += OutPublic->publicArea.authPolicy.size; // TPMU_PUBLIC_PARMS switch (OutPublic->publicArea.type) { @@ -305,32 +319,47 @@ Tpm2ReadPublic ( // TPMU_PUBLIC_ID switch (OutPublic->publicArea.type) { case TPM_ALG_KEYEDHASH: OutPublic->publicArea.unique.keyedHash.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer)); Buffer += sizeof(UINT16); + if(OutPublic->publicArea.unique.keyedHash.size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.keyedHash.buffer, Buffer, OutPublic->publicArea.unique.keyedHash.size); Buffer += OutPublic->publicArea.unique.keyedHash.size; break; case TPM_ALG_SYMCIPHER: OutPublic->publicArea.unique.sym.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer)); Buffer += sizeof(UINT16); + if(OutPublic->publicArea.unique.sym.size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.sym.buffer, Buffer, OutPublic->publicArea.unique.sym.size); Buffer += OutPublic->publicArea.unique.sym.size; break; case TPM_ALG_RSA: OutPublic->publicArea.unique.rsa.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer)); Buffer += sizeof(UINT16); + if(OutPublic->publicArea.unique.rsa.size > MAX_RSA_KEY_BYTES) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.rsa.buffer, Buffer, OutPublic->publicArea.unique.rsa.size); Buffer += OutPublic->publicArea.unique.rsa.size; break; case TPM_ALG_ECC: OutPublic->publicArea.unique.ecc.x.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer)); Buffer += sizeof(UINT16); + if (OutPublic->publicArea.unique.ecc.x.size > MAX_ECC_KEY_BYTES) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.ecc.x.buffer, Buffer, OutPublic->publicArea.unique.ecc.x.size); Buffer += OutPublic->publicArea.unique.ecc.x.size; OutPublic->publicArea.unique.ecc.y.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer)); Buffer += sizeof(UINT16); + if (OutPublic->publicArea.unique.ecc.y.size > MAX_ECC_KEY_BYTES) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.ecc.y.buffer, Buffer, OutPublic->publicArea.unique.ecc.y.size); Buffer += OutPublic->publicArea.unique.ecc.y.size; break; default: return EFI_UNSUPPORTED; diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c index 305b6f2078..68a445bafc 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Sequences related command. -Copyright (c) 2013, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php @@ -373,10 +373,14 @@ Tpm2EventSequenceComplete ( BufferPtr = (UINT8 *)&Res.Results; // count Results->count = SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr)); + if (Results->count > HASH_COUNT) { + return EFI_DEVICE_ERROR; + } + BufferPtr += sizeof(UINT32); for (Index = 0; Index < Results->count; Index++) { Results->digests[Index].hashAlg = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr)); BufferPtr += sizeof(UINT16); @@ -494,10 +498,14 @@ Tpm2SequenceComplete ( BufferPtr = (UINT8 *)&Res.Digest; // digestSize Result->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr)); + if (Result->size > sizeof(TPMU_HA)){ + return EFI_DEVICE_ERROR; + } + BufferPtr += sizeof(UINT16); CopyMem( Result->buffer, BufferPtr, diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c index f03b6689ac..0c9b310e54 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Session related command. -Copyright (c) 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php @@ -161,9 +161,13 @@ Tpm2StartAuthSession ( // // Return the response // *SessionHandle = SwapBytes32 (RecvBuffer.SessionHandle); NonceTPM->size = SwapBytes16 (RecvBuffer.NonceTPM.size); + if (NonceTPM->size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } + CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer, NonceTPM->size); return EFI_SUCCESS; } -- 2.16.2.windows.1